diff --git a/pkg/services/accesscontrol/database/database.go b/pkg/services/accesscontrol/database/database.go
index f056555313f..8b704ddd7bb 100644
--- a/pkg/services/accesscontrol/database/database.go
+++ b/pkg/services/accesscontrol/database/database.go
@@ -61,7 +61,7 @@ func (s *AccessControlStore) GetUserPermissions(ctx context.Context, query acces
 func userRolesFilter(orgID, userID int64, roles []string) (string, []interface{}) {
 params := []interface{}{}
- q := `WHERE role.id IN (`
+ q := `INNER JOIN (`
 // This is an additional security. We should never have permissions granted to userID 0.
 // Only allow real users to get user/team permissions (anonymous/apikeys)
@@ -95,7 +95,7 @@ func userRolesFilter(orgID, userID int64, roles []string) (string, []interface{}
 params = append(params, orgID, globalOrgID)
 }
- q += `)`
+ q += `) as all_role ON role.id = all_role.role_id`
 return q, params
 }
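Review bot: userRolesFilter now returns an `INNER JOIN (...) as all_role ON role.id = all_role.role_id` fragment instead of a `WHERE role.id IN (...)` predicate, and neither hunk documents that new contract for its callers, which lie outside this diff. I would add a doc comment above the function such as `// userRolesFilter returns an INNER JOIN clause on role, plus its bind parameters; append it before any WHERE clause.` Two things should be confirmed against the subquery body between the hunks, which is not shown: its result column must be named `role_id` for the ON clause in the second hunk to resolve, and it must not yield the same role twice, because a join, unlike `IN`, would then repeat that role's permission rows. Since this fragment decides whose permissions a query returns, a test asserting an identical permission set before and after the change, for a user who reaches one role through several assignments, would pin both.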